Prestige

Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.[1]

ID: S1058
Type: MALWARE
Platforms: Windows
Contributors: Mindaugas Gudzis, BT Security
Version: 1.0
Created: 20 January 2023
Last Modified: 24 February 2023

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Prestige can use PowerShell for payload execution on targeted systems.[1]

Enterprise T1486 Data Encrypted for Impact

Prestige has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended filenames with .enc.[1]

Enterprise T1484 .001 Domain Policy Modification: Group Policy Modification

Prestige has been deployed using the Default Domain Group Policy Object from an Active Directory Domain Controller.[1]

Enterprise T1083 File and Directory Discovery

Prestige can traverse the file system to discover files to encrypt by identifying specific extensions defined in a hardcoded list.[1]

Enterprise T1490 Inhibit System Recovery

Prestige can delete the backup catalog from the target system using: c:\Windows\System32\wbadmin.exe delete catalog -quiet and can also delete volume shadow copies using: \Windows\System32\vssadmin.exe delete shadows /all /quiet.[1]

Enterprise T1112 Modify Registry

Prestige has the ability to register new registry keys for a new extension handler via HKCR\.enc and HKCR\enc\shell\open\command.[1]

Enterprise T1106 Native API

Prestige has used the Wow64DisableWow64FsRedirection() and Wow64RevertWow64FsRedirection() functions to disable and restore file system redirection.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Prestige has been executed on a target system through a scheduled task created by Sandworm Team using Impacket.[1]

Enterprise T1489 Service Stop

Prestige has attempted to stop the MSSQL Windows service to ensure successful encryption using C:\Windows\System32\net.exe stop MSSQLSERVER.[1]

Groups That Use This Software

ID Name References
G0034 Sandworm Team

[1]

References